Improving the security of open banking and online payments

Open banking lets you give all of your bank and credit card transaction data to a third party – and in turn, they will hopefully do something useful with that data, such as aggregate all of your various accounts into one dashboard, or help you reduce your utility bills.

One concern with open banking, though, is the security of your data. If _you_ can log into your online banking and send your data to a third party, you can be sure that hackers and online fraudsters are also trying to get their hands on that very valuable data.

Fortunately, open banking in the UK will be secured by something called strong customer authentication.

Strong customer authentication

The basic gist of strong customer authentication (SCA) is that it makes it a lot harder for someone who isn’t you to log in.

There isn’t one single way of performing strong customer authentication. Rather, to pass strong customer authentication, you must be able to provide two of the following three types of evidence:

  • Something you know, like a password or PIN

  • Something you have, like a payment card or mobile phone

  • Something you are – a biometric, such as your fingerprint or iris scan

When you make a payment with your chip-and-PIN card at the supermarket, you are already using strong customer authentication (something you know plus something you have). The idea is to provide just as much security when logging into your online banking or a third-party personal finance management app.

So, for example, before sending your open banking transaction data to a third party, a financial institution might need your password _and_ a special code sent to your mobile phone. Or they might use your fingerprint combined with a physical payment card.

Many British banks already offer this level of security through online banking or their mobile banking apps, but from September 2019 strong customer authentication will be mandated by European law (PSD2).

Online payments must use strong customer authentication, too

From September 2019, banks and other payment service providers must also provide strong customer authentication for making payments – so, when you buy something from Amazon with a credit card, for example.

According to the European regulation, payment service providers must send you a one-time password (via a text message or other means) that is tied to the amount of your attempted payment and to the beneficiary. If the details shown are correct, you can go ahead and enter the one-use code to confirm the transaction.
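What makes this code more than an ordinary SMS password is that it is bound to the payment details, so a code approved for one amount and payee cannot be replayed against a different one. The following is an added illustration, not code from the original post or from any bank or regulator: it derives a six-digit code from an HMAC over the amount, currency, beneficiary and a fresh nonce, then shows that verification fails once the beneficiary or amount is altered after the customer approved. The per-customer `secret`, the `MERCHANT-ACME` and `MULE-ACCOUNT` identifiers and the fixed nonce in `demo()` are all constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentDetails:
    """The two facts the code must be bound to: how much, and to whom."""
    amount_pence: int
    currency: str
    beneficiary: str  # e.g. a merchant identifier or sort code + account number


def new_nonce() -> bytes:
    """Fresh per attempt, so an approved code cannot be reused for a second payment."""
    return secrets.token_bytes(16)


def issue_code(secret: bytes, details: PaymentDetails, nonce: bytes, digits: int = 6) -> str:
    """Derive a one-time code valid only for these exact payment details.

    `secret` is a hypothetical per-customer key held on the bank's backend.
    """
    message = (
        f"{details.amount_pence}|{details.currency}|{details.beneficiary}|".encode()
        + nonce
    )
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 4 bytes at a digest-chosen offset.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, details: PaymentDetails, nonce: bytes, code: str,
                digits: int = 6) -> bool:
    """Recompute the code from the details the bank is about to execute and compare.

    The length check matters: deriving `digits` from the submitted code would let an
    empty string match an empty expected value.
    """
    if len(code) != digits or not code.isdigit():
        return False
    expected = issue_code(secret, details, nonce, digits=digits)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed walk-through: one genuine confirmation and two tampered ones."""
    secret = b"constructed-per-customer-secret"  # constructed sample, not a real key
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed here; use new_nonce() in practice
    intended = PaymentDetails(amount_pence=4999, currency="GBP", beneficiary="MERCHANT-ACME")
    code = issue_code(secret, intended, nonce)

    # What the customer saw in the message matches what the bank executes: accepted.
    genuine_ok = verify_code(secret, intended, nonce, code)
    # Beneficiary swapped after the customer approved: the code no longer matches.
    diverted = PaymentDetails(amount_pence=4999, currency="GBP", beneficiary="MULE-ACCOUNT")
    diverted_ok = verify_code(secret, diverted, nonce, code)
    # Amount inflated after approval: likewise rejected.
    inflated = PaymentDetails(amount_pence=49990, currency="GBP", beneficiary="MERCHANT-ACME")
    inflated_ok = verify_code(secret, inflated, nonce, code)
    return {"genuine": genuine_ok, "diverted": diverted_ok, "inflated": inflated_ok,
            "empty_code": verify_code(secret, intended, nonce, "")}


if __name__ == "__main__":
    print(demo())
```

The bank recomputes the code from the transaction it is actually about to execute, never from values echoed back by the client, which is what makes the amount and beneficiary shown in the message meaningful to the customer.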

In Belgium, where this process is already used, there has been a significant reduction in online fraud.

Exemptions for strong customer authentication

Strong customer authentication might sound great in theory – but in practice there are a few scenarios where you probably don’t need or want SCA. Imagine if you had to authenticate every direct debit payment for your council tax or your monthly subscriptions – that would be pretty annoying!

Generally, if a payment is initiated by a business or institution – as is the case with direct debits and recurring subscriptions – then strong customer authentication isn’t required.

You will also have the ability to whitelist a business that you trust, after performing at least one strong authentication. Future payments to that business won’t require extra authentication.
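To make the exemption rules above concrete, here is an added example of a server-side decision routine; it is not code from the original post or from any payment provider. It treats payee-initiated payments (direct debits, recurring subscriptions) as exempt, treats a whitelisted beneficiary as exempt for that customer only, and refuses to add a beneficiary to the whitelist unless a strong authentication has been completed in the current session. The `ScaPolicy` class, the customer ids and the beneficiary names are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set


class Initiator(Enum):
    PAYER = "payer"  # the customer presses "pay" in a shop or banking app
    PAYEE = "payee"  # direct debit or merchant-initiated recurring charge


@dataclass(frozen=True)
class PaymentRequest:
    payer_id: str
    beneficiary: str
    amount_pence: int
    initiator: Initiator


class ScaPolicy:
    """Decides whether a payment needs strong customer authentication.

    All state lives on the bank's side; nothing here trusts a flag sent by the client.
    """

    def __init__(self) -> None:
        # payer_id -> beneficiaries that customer has whitelisted
        self._trusted: Dict[str, Set[str]] = {}
        # customers who completed an SCA in their current session
        self._sca_done: Set[str] = set()

    def record_sca_success(self, payer_id: str) -> None:
        """Call only after the authentication server verified two independent factors."""
        self._sca_done.add(payer_id)

    def end_session(self, payer_id: str) -> None:
        self._sca_done.discard(payer_id)

    def add_trusted_beneficiary(self, payer_id: str, beneficiary: str) -> None:
        """Whitelisting is itself sensitive: refuse unless an SCA has been performed."""
        if payer_id not in self._sca_done:
            raise PermissionError("strong customer authentication required before whitelisting")
        self._trusted.setdefault(payer_id, set()).add(beneficiary)

    def requires_sca(self, req: PaymentRequest) -> bool:
        if req.initiator is Initiator.PAYEE:
            return False  # business-initiated: direct debits, subscriptions
        if req.beneficiary in self._trusted.get(req.payer_id, set()):
            return False  # whitelisted by this customer after an earlier SCA
        return True


def demo() -> dict:
    """Constructed scenario covering each branch of the policy."""
    policy = ScaPolicy()
    shop = PaymentRequest("alice", "MERCHANT-ACME", 4999, Initiator.PAYER)
    council = PaymentRequest("alice", "COUNCIL-TAX-DD", 15000, Initiator.PAYEE)
    results = {}
    results["direct_debit"] = policy.requires_sca(council)          # exempt
    results["first_shop_payment"] = policy.requires_sca(shop)       # needs SCA
    try:
        policy.add_trusted_beneficiary("alice", "MERCHANT-ACME")
        results["whitelist_without_sca"] = "allowed"
    except PermissionError:
        results["whitelist_without_sca"] = "refused"
    policy.record_sca_success("alice")
    policy.add_trusted_beneficiary("alice", "MERCHANT-ACME")
    policy.end_session("alice")
    results["later_shop_payment"] = policy.requires_sca(shop)       # now exempt
    bob = PaymentRequest("bob", "MERCHANT-ACME", 4999, Initiator.PAYER)
    results["other_customer_same_shop"] = policy.requires_sca(bob)  # Bob never whitelisted it
    return results


if __name__ == "__main__":
    print(demo())
```

The whitelist is keyed per customer rather than per merchant, and the session flag is cleared afterwards, so a merchant trusted by one customer gives no exemption to anyone else and a later whitelisting attempt needs a fresh authentication.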